How can ACS prompt you to change password?

j.mccartney
Level 1

I want to set up my ACS to prompt users to change their password, say, every "X" days. I created a test group and put my account in there, and under "Password Aging Rules" I have the following:

Active period = 2 days
Warning period = 1 day
Grace period = 1 day

"Apply age-by-uses rules"
Issue warning after 1 login
Require change after 3 logins

Shouldn't that prompt the user to change the password after 2 days, give a warning for 1 day and then a grace period of 1 day, and if the user hasn't changed the password by then (4 days), lock the account?

I'm trying to use this with wireless users - is this a problem?

Any help is appreciated.

John

4 Replies

Not applicable

When the password expiry feature is used for users located in the CiscoSecure ACS local database, the CiscoSecure Authentication Agent (CAA) must be installed in order for the password aging rule to work. The CAA is located on the CiscoSecure ACS installation CD in the ACS Utilities folder. Refer to the following URL:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00800946b9.shtml

Hello and thanks for your reply. If I read the PDF correctly, since we want to use the Password Aging feature and our database is the local ACS database, we would not need to run the Auth Agent Configurator in step #3 of page 2.

We would just install the software (CAA) starting with page #3 and reboot, right?

Thanks again.

John

John,

ACS supports four different password aging methods:

• PEAP and EAP-FAST Windows Password Aging: Users must be in the Windows user database and be using a Microsoft client that supports EAP, such as Windows XP. For information on the requirements and configuration of this password aging mechanism, see Enabling Password Aging for Users in Windows Databases.

• RADIUS-based Windows Password Aging: Users must be in the Windows user database and be using the Windows Dial-up Networking (DUN) client. For information on the requirements and configuration of this password aging mechanism, see Enabling Password Aging for Users in Windows Databases.

• Password Aging for Device-hosted Sessions: Users must be in the CiscoSecure user database, the AAA client must be running TACACS+, and the connection must use Telnet. You can control the ability of users to change passwords during a device-hosted Telnet session. You can also control whether Cisco Secure ACS propagates passwords changed by this feature. For more information, see Local Password Management.

• Password Aging for Transit Sessions: Users must be in the CiscoSecure user database. Users must use a PPP dialup client. Further, the end-user client must have CiscoSecure Authentication Agent (CAA) installed.

Hope that helps!

Regards,

~JG

Do rate helpful posts

So from what you stated here, we have users in the local ACS database and I want to do password aging, which I described earlier in the thread. You mentioned Telnet; we are authenticating via RADIUS on port 1645, so will this work?

If I install this, could it possibly prevent my ACS from functioning the way it currently does?

I'm pretty new to ACS so I want to minimize downtime/risks.

Thanks
